Palo alto cortex xdr 4.0.3 release #2904

Merged
merged 2 commits into from
Oct 28, 2024
Merged
6 changes: 3 additions & 3 deletions plugins/palo_alto_cortex_xdr/.CHECKSUM
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"spec": "0021d4893d4c50661ed40749bfb99813",
"manifest": "9fd4cfed8de8d55916980ade6ac7ad3a",
"setup": "300ec46a66a2a1a2a434e9d68f841583",
"spec": "5f65f97ed0704bd87cb78e24eb9dc1b3",
"manifest": "094c90db12918a2d28277d8b94124397",
"setup": "67c9748687eb5d9ea0eccfccb53610e1",
"schemas": [
{
"identifier": "allow_file/schema.py",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ from sys import argv

Name = "Palo Alto Cortex XDR"
Vendor = "rapid7"
Version = "4.0.2"
Version = "4.0.3"
Description = "Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data"


Expand Down
1 change: 1 addition & 0 deletions plugins/palo_alto_cortex_xdr/help.md
Original file line number Diff line number Diff line change
Expand Up @@ -927,6 +927,7 @@ Isolate Endpoint fails with 500 error - This will happen if an isolation action

# Version History

* 4.0.3 - `Monitor Incidents` - Add custom config exception handling
* 4.0.2 - SDK bump to 6.1.4
* 4.0.1 - SDK Bump to 6.1.3
* 4.0.0 - `Get Alerts`: Fixed issue where trigger was failing due to empty and different typed output fields - updated to generic object | Added Monitor_alert tasks | SDK Bump to 6.1.2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ def run(self, params={}):
)
# Separate the host identifier values
for incident in incidents:
incident["hosts"] = Util.split_list_values(incident.get("hosts", []), ":")
incident["hosts"] = Util.split_list_values(incident.get("hosts", []))
Collaborator


Does this change also need undone or is it ok to leave in the release?

Collaborator Author


It's okay, I kept it in since it's not consequential and has the same functionality; it's just one less manual input for that helper method.

# Process incidents from oldest to newest
for incident_time in Util.send_items_to_platform_for_trigger(
self, incidents, Output.INCIDENT, last_event_processed_time_ms, time_field
Expand Down
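Review bot: `incident.get("hosts", [])` on the changed line only falls back to the empty list when the key is absent; if a Cortex XDR incident ever arrives with `"hosts": null`, `split_list_values` will try to iterate `None` and the whole polling cycle fails with a TypeError instead of just that incident having no hosts. Whether the API can return null here I cannot confirm from this hunk, but `incident["hosts"] = Util.split_list_values(incident.get("hosts") or [])` costs nothing and keeps one odd record from stalling the trigger. The enclosing `run` body continues below the hunk.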
Original file line number Diff line number Diff line change
Expand Up @@ -491,9 +491,29 @@ def build_request(self, url: str, headers: dict, post_body: dict) -> Response:

request = requests.Request(method="post", url=url, headers=headers, json=post_body)

custom_config_exceptions = {
HTTPStatusCodes.BAD_REQUEST: PluginException(cause="API Error. ", assistance="Bad request, invalid JSON."),
HTTPStatusCodes.UNAUTHORIZED: PluginException(
cause="API Error. ", assistance="Authorization failed. Check your API Key ID & API Key."
),
HTTPStatusCodes.PAYMENT_REQUIRED: PluginException(
cause="API Error. ",
assistance="Unauthorized access. User does not have the required license type to run this API.",
),
HTTPStatusCodes.FORBIDDEN: PluginException(
cause="API Error. ",
assistance="Forbidden. The provided API Key does not have the required RBAC permissions to run this API.",
),
HTTPStatusCodes.NOT_FOUND: PluginException(
cause="API Error. ",
assistance=f"The object at {url} does not exist. Check the FQDN connection setting and try again.",
),
}

response = make_request(
_request=request,
timeout=60,
exception_custom_configs=custom_config_exceptions,
exception_data_location=ResponseExceptionData.RESPONSE,
allowed_status_codes=[HTTPStatusCodes.UNAUTHORIZED],
)
Expand Down
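Review bot: The new `custom_config_exceptions` maps `HTTPStatusCodes.UNAUTHORIZED` to a PluginException, yet the unchanged `allowed_status_codes=[HTTPStatusCodes.UNAUTHORIZED]` tells `make_request` to hand a 401 response back rather than raise, so that entry looks dead unless the code after the hunk raises it itself (the function body continues past the hunk). Either drop the 401 entry or annotate it with `# 401 is in allowed_status_codes, so make_request returns it rather than raising; see the handling below` so the next reader does not expect make_request to surface that message. One thing to keep exactly as written: the 404 message interpolates only `url`; never extend these messages with `headers` or `post_body`, since the headers carry the API key and the assistance text ends up in job logs.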
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ def now_ms():
return int(time.time() * 1000)

@staticmethod
def split_list_values(input_list: list, separator: str) -> list:
def split_list_values(input_list: list) -> list:
"""Splits each string in a list based on a separator and returns a list of all separated values
:param input_list: Input list of string
:type input_list: list, required
Expand All @@ -27,9 +27,11 @@ def split_list_values(input_list: list, separator: str) -> list:
output_list = []
for item in input_list:
if isinstance(item, str):
item_split = item.split(separator)
item_split = item.split(":")
Collaborator


Should this also be undone if we aren't making changes to the triggers?

output_list.extend(item_split)

duplicates = set()

return [item for item in output_list if not (item in duplicates or duplicates.add(item))]

@staticmethod
Expand Down
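Review bot: The docstring of `split_list_values` still says the split is "based on a separator" after the `separator` parameter was removed and `":"` was hard-coded on the changed line, and the collapsed lines just above `output_list = []` most likely still carry a `:param separator:` entry for an argument that no longer exists. Replace the summary with `"""Split each string in a list on ":" and return the distinct pieces in first-seen order; non-string items are skipped.` and delete the stale parameter entry. Separately, the de-duplication at the end relies on `duplicates.add` returning None inside the comprehension, which is easy to misread; `return list(dict.fromkeys(output_list))` gives the same order-preserving result in one obvious line.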
3 changes: 2 additions & 1 deletion plugins/palo_alto_cortex_xdr/plugin.spec.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ products: [insightconnect]
name: palo_alto_cortex_xdr
title: Palo Alto Cortex XDR
description: Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data
version: 4.0.2
version: 4.0.3
connection_version: 2
cloud_ready: true
sdk:
Expand Down Expand Up @@ -38,6 +38,7 @@ key_features:
- "Add files to the block or allow lists"
troubleshooting: "Isolate Endpoint fails with 500 error - This will happen if an isolation action (Isolate or Unisolate) is in progress on the selected endpoint. Wait a few minutes and try again."
version_history:
- "4.0.3 - `Monitor Incidents` - Add custom config exception handling"
- "4.0.2 - SDK bump to 6.1.4"
- "4.0.1 - SDK Bump to 6.1.3"
- "4.0.0 - `Get Alerts`: Fixed issue where trigger was failing due to empty and different typed output fields - updated to generic object | Added Monitor_alert tasks | SDK Bump to 6.1.2"
Expand Down
2 changes: 1 addition & 1 deletion plugins/palo_alto_cortex_xdr/setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@


setup(name="palo_alto_cortex_xdr-rapid7-plugin",
version="4.0.2",
version="4.0.3",
description="Stop modern attacks with the industry's first extended detection and response platform that spans your endpoints, network and cloud data",
author="rapid7",
author_email="",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ def check_error():
}
if MockTrigger.actual == expected:
return True

TestCase.maxDiff = None
TestCase.assertDictEqual(TestCase(), MockTrigger.actual, expected)


Expand Down
15 changes: 12 additions & 3 deletions plugins/palo_alto_cortex_xdr/unit_test/test_monitor_alerts.py
Original file line number Diff line number Diff line change
Expand Up @@ -129,23 +129,31 @@ def test_monitor_alerts_pagination(
"Bad Request",
STUB_STATE_ERROR,
PluginException(
data="An error occurred during plugin execution!\n\nThe server is unable to process the request. Verify your plugin input is correct and not malformed and try again. If the issue persists, please contact support."
data="An error occurred during plugin execution!\n\nAPI Error. Bad request, invalid JSON."
),
400,
],
[
"Wrong License",
STUB_STATE_ERROR,
PluginException(
data="An error occurred during plugin execution!\n\nAPI Error. Unauthorized access. User does not have the required license type to run this API."
),
402,
],
[
"Forbidden",
STUB_STATE_ERROR,
PluginException(
data="An error occurred during plugin execution!\n\nThe account configured in your connection is unauthorized to access this service. Verify the permissions for your account and try again."
data="An error occurred during plugin execution!\n\nAPI Error. Forbidden. The provided API Key does not have the required RBAC permissions to run this API."
),
403,
],
[
"Not Found",
STUB_STATE_ERROR,
PluginException(
data="An error occurred during plugin execution!\n\nInvalid or unreachable endpoint provided. Verify the URLs or endpoints in your configuration are correct."
data="An error occurred during plugin execution!\n\nAPI Error. The object at https://example.com/public_api/v1/alerts/get_alerts does not exist. Check the FQDN connection setting and try again."
),
404,
],
Expand All @@ -166,6 +174,7 @@ def test_monitor_alerts_error_handling(
error_msg: Union[str, PluginException],
error_code: int,
) -> None:

# This if statement is to handle the "if not type response" statement specifically
if error_code == 500:
mocked_response = mock_conditions(200, file_name="monitor_alerts_faulty_response")
Expand Down
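Review bot: The parametrised error cases now cover 400, 402, 403 and 404 but there is no 401 case, even though `build_request` declares a custom message for UNAUTHORIZED; a case asserting what the trigger actually does on a 401 (raise that message, or carry on because 401 is in `allowed_status_codes`) would pin the behaviour instead of leaving it implicit. The expected 404 string embeds the mocked URL `https://example.com/public_api/v1/alerts/get_alerts`, so any change to the connection stub silently breaks this one case; if the stub's base URL is a constant, build the expected text from it. The blank line added directly under the `test_monitor_alerts_error_handling` signature is stray whitespace.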